Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Git Commit Signing: Code we can trust?

Git Commit Signing: Code we can trust?

When we install software on our computers we have to trust the package maintainers that it's secure.

If someone slips a hack into homebrew all of our machines could become vulnerable.

But what about our own code? * When we deploy to production, how do we know we can trust it? * What if someone pushes a hack to our github? * Will CI still push it to production?

It turns out Git has a cool feature that can help us trust the code we deploy. We'll discuss Git Commit Signing, how it can help us, and what downsides it may have.

Talk given at the London Ruby User Group (LRUG) at Skillmatter in London on Monday 12th February 2018

Matthew Rudy Jacobs

February 12, 2018

More Decks by Matthew Rudy Jacobs

Other Decks in Technology


  1. • brew install gpg • gpg --full-generate-key • git config

    --global user.signingKey MYKEYID • git config --global commit.gpgsign true
  2. SECURITY IS HARD!!! What if someone breaks into your laptop?

    What if you don't notice a malicious change? What if someone hacks github? How do you expire an old key? What if a trusted employee goes rogue? What if someone compromises your CI? What if someone has a quantum computer?